Message-ID: <20200816151059.GA22909@openwall.com>
Date: Sun, 16 Aug 2020 17:10:59 +0200
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Performance John in the cloud

On Sat, Aug 15, 2020 at 11:21:06PM -0400, Powen Cheng wrote:
> As for the cost / performance. I think I would have to wait for the
> hardware/software to catch up in the near future so I could use the GPU
> with scrypt KDF support to make this worthwhile.

I think this is a misunderstanding.  While ideally and long-term we'd
have scrypt in OpenCL and have that used by the various other -opencl
formats that need scrypt, we won't have this "in the near future", and
if/when we do have it performance might not be what you'd expect from a
GPU - rather, it will depend on scrypt parameters, where for some high
parameters CPUs will likely continue to perform better than GPUs.

I am not currently familiar with what scrypt parameters Ethereum wallets
actually use, and whether these vary from wallet to wallet or not, so I
don't have more specific expectations.

> Currently the CPU way is just a bit expensive at the moment and too slow in
> my opinion.

That depends on what you compare it to.  PBKDF2-SHA256 is just a more
GPU friendly algorithm than scrypt, so even with ideal implementations
scrypt isn't expected to be as much faster on a GPU vs. a CPU as we're
seeing for PBKDF2-SHA256.  And both are purposefully slow.

Also, as you probably know by now, e.g. a 10x increase in performance
brings only a moderate improvement in chances to crack a password.  You
need to focus the attack to improve your chances more significantly.

We have some charts of passwords cracked vs. candidates tested on slides
29, 30, 32 in this old presentation:

https://www.openwall.com/presentations/Passwords12-Probabilistic-Models/

While in practice you'd try more than one attack and while some specific
attacks have since improved, the above old per-attack charts still give
the right overall idea of efficacy of attacks not focused on a specific
partially forgotten password (or such) vs. number of candidates tested.
Please note the logarithmic scale on the x-axis.

> As for the test, I was wondering how john was able to perform the benchmark
> with
> $ john -test -form=ethereum-opencl
> 
> I only need to attack a wallet with 262144 iterations so 11k+ on NVIDIA
> Tesla V100 in p3.2xlarge does sound better.

Cool, but that's for PBKDF2-SHA256, not for scrypt.

Alexander
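
Added example (not part of the original message, and not John the Ripper code): a sketch of the distinction drawn above, reading a keystore's KDF section to tell PBKDF2 from scrypt and computing how much memory one scrypt guess needs, which is what limits parallelism on a GPU. The keystore field names follow the Web3 Secret Storage v3 layout, and the sample parameters and the 16 GiB device memory figure are constructed assumptions, none of them taken from the thread.

```python
import json

# Constructed keystore fragments (salts are dummy values). Field names follow the
# Web3 Secret Storage v3 layout, which is an assumption not taken from the message.
SCRYPT_KS = json.dumps({"crypto": {"kdf": "scrypt", "kdfparams": {
    "n": 262144, "r": 8, "p": 1, "dklen": 32, "salt": "00" * 32}}})
PBKDF2_KS = json.dumps({"crypto": {"kdf": "pbkdf2", "kdfparams": {
    "c": 262144, "prf": "hmac-sha256", "dklen": 32, "salt": "00" * 32}}})


def kdf_profile(keystore_json):
    """Report which KDF a keystore uses and the memory one password guess needs."""
    crypto = json.loads(keystore_json)["crypto"]
    kdf, params = crypto["kdf"].lower(), crypto["kdfparams"]
    if kdf == "scrypt":
        n, r, p = int(params["n"]), int(params["r"]), int(params["p"])
        if n < 2 or n & (n - 1):
            raise ValueError("scrypt N must be a power of two greater than 1")
        if r < 1 or p < 1:
            raise ValueError("scrypt r and p must be positive")
        # RFC 7914 ROMix keeps N blocks of 128*r bytes; the p lanes can run one
        # after another, so this is the per-guess figure without a
        # time-memory trade-off.
        return {"kdf": "scrypt", "cost": n, "mem_bytes": 128 * r * n}
    if kdf == "pbkdf2":
        c = int(params["c"])
        if c < 1:
            raise ValueError("PBKDF2 iteration count must be positive")
        # PBKDF2 state is a few hash blocks, so memory never limits parallelism.
        return {"kdf": "pbkdf2-" + params["prf"], "cost": c, "mem_bytes": 0}
    raise ValueError("unsupported kdf: " + kdf)


def max_parallel_guesses(profile, device_mem_bytes):
    """Guesses that fit in memory at once; None means not memory-bound."""
    if profile["mem_bytes"] == 0:
        return None
    return device_mem_bytes // profile["mem_bytes"]


if __name__ == "__main__":
    DEVICE_MEM = 16 * 2**30  # assumed 16 GiB of device memory, for illustration
    for ks in (SCRYPT_KS, PBKDF2_KS):
        prof = kdf_profile(ks)
        print(prof, max_parallel_guesses(prof, DEVICE_MEM))
```

The same number, 262144, is an iteration count in one sample and the scrypt N in the other; in the scrypt case each guess needs 256 MiB, so only 64 fit in the assumed 16 GiB regardless of how many compute units the device has.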
